A cryptographic protocol for secure communications.

A cryptographic communication system. The system, which employs a novel combination of public and private key cryptography, allows two parties, who share only a relatively insecure password, to bootstrap a computationally secure cryptographic system over an insecure network. The system is secure against active and passive attacks, and has the property that the password is protected against off-line "dictionary" attacks. If Alice and Bob are two parties who share the password P, one embodiment of the system involves the following steps: (1) Alice generates a random public key E, encrypts it with P and sends P(E) to Bob; (2) Bob decrypts to get E, encrypts a random secret key R with E and sends E(R) to Alice; (3) Alice decrypts to get R, generates a random challenge C_A and sends R(C_A) to Bob; (4) Bob decrypts to get C_A, generates a random challenge C_B and sends R(C_A, C_B) to Alice; (5) Alice decrypts to get (C_A, C_B), compares the first against the challenge and sends R(C_B) to Bob if they are equal; (6) Bob decrypts and compares with the earlier challenge; and (7) Alice and Bob can use R as a shared secret key to protect the session.
Background of the Invention

Field of the Invention

This invention relates to cryptographic communications in general and, more particularly, to methods and systems for establishing authenticated and/or private communications between parties who initially share only a relatively insecure secret.

Description of the Related Art

Parties often wish to conduct private and authenticated communications. While privacy can be sought through physical means it is often more efficient and effective to employ cryptographic means. And while authentication can be sought through physically secure and dedicated facilities, it too can be accomplished more easily with cryptographic techniques.

Using classical cryptographic techniques, a party authenticates himself or herself to another party by revealing knowledge of a secret (e.g., a password) that is known only by the respective parties. When the secret is revealed, especially if it is communicated over a physically insecure communication channel, it is susceptible to eavesdropping. This permits the eavesdropper to learn the secret and to subsequently impersonate one of the parties.

The Kerberos authentication system of MIT's Project Athena attempts to solve this problem in the context of computer networks. R.M. Needham and M.D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM, Vol. 21, No. 12, 993-999 (Dec. 1978); and J. Steiner, C. Neumann, and J.I. Schiller, "An Authentication Service for Open Network Systems," Proc. Winter USENIX Conference, Dallas, 1988. According to the Kerberos system, each Kerberos system user is given a non-secret unique login ID and is allowed to choose a secret password. The password is conveyed by the user to the Kerberos system and is held in confidence by both parties. Because the password is kept a secret it may be used by the user to authenticate himself to the Kerberos system.

When a Kerberos system user desires access to a Kerberos computer, the user sends his or her login ID to the Kerberos computer with a request for access. While authentication could be accomplished by requiring that the user send his or her password along with his or her ID, that technique has the serious disadvantage that an eavesdropper could readily ascertain the ID and corresponding password of the user.

To avoid this problem, the Kerberos system authenticates the identity of the user by creating a puzzle that can probably be solved only by the bona fide user. The puzzle can be thought of as a locked box, containing a message, that is secured with a combination lock. The puzzle is constructed by the Kerberos system so that the combination to the combination lock is the secret password known by the bona fide user associated with the received ID. The bona fide user, knowing his or her own password, can use the password to open the lock and recover the message inside. When the combination to the combination lock is randomly selected from a large number of possibilities it is infeasible for an impersonator to "pick" the lock.

The mechanism used to create the puzzle typically uses several steps. First, the Kerberos system generates a random number as the message to be conveyed to the user. Next, the Kerberos system makes a puzzle (containing the random number) such that the user's password is the key to solving the puzzle and recovering the message. For example, suppose that according to one class of puzzles each puzzle is equal to a random number plus a number representing the user's password. When the user's password is 3049 and the random number is 5294 the puzzle is 8343.

The puzzle is transmitted to the user by the Kerberos system. Continuing with the example, the user, knowing his or her own password, solves the puzzle and recovers the message by subtracting his or her password (3049) from the puzzle (8343) to recover the message (5294). An eavesdropper knowing the puzzle (8343) but not knowing the password is unlikely to discover the message. According to the Kerberos system all communications between the user and the Kerberos system after the first puzzle is sent are also in the form of puzzles. But the key to solving the subsequent puzzles is the random number contained in the first puzzle which the Kerberos system and a bona fide user would know. Authentication occurs implicitly when the user and the computer are able to communicate meaningfully. And because all of the communications are encrypted, privacy is achieved.

A discussion on the nomenclature of cryptology is appropriate at this time. A class of puzzles is known as a "cryptographic system" or "cryptosystem." The process of making a puzzle is known as "encryption" and the process of solving a puzzle to recover the message inside is known as "decryption." The puzzle is called "ciphertext" and the message within the puzzle is called "plaintext." The members of a cryptosystem are distinguished by a cryptographic key or key. According to the scheme of a particular cryptosystem, a key is used to lock plaintext into ciphertext and is also used to unlock the ciphertext to recover the plaintext.

The key to making a specific puzzle (i.e., locking plaintext in ciphertext) is known as an "encryption key" and the key to solving a puzzle (i.e., recovering the plaintext from the ciphertext) is known as a "decryption key." When, according to the design of a particular cryptosystem, the encryption key and the decryption key are identical, the cryptosystem is known as a "symmetric cryptosystem." The cryptosystem illustrated above is a symmetric cryptosystem because the number 3049 is the key to both creating the puzzle and to solving it.

A cryptosystem that has an encryption key E and a different decryption key D such that it is computationally infeasible to determine D from E is known as an "asymmetric key cryptosystem" or a "public key cryptosystem." An asymmetric key cryptosystem is not a symmetric cryptosystem and is therefore useful for initiating secure communications between parties who typically have not previously communicated nor share a common secret key to a symmetric cryptosystem. In contradistinction to an asymmetric key cryptosystem, a public key distribution system permits two remote users to exchange messages back and forth until they arrive at a common key to a symmetric key cryptosystem. The fundamental requirement of an asymmetric key cryptosystem is that an eavesdropper knowing all of the messages must find it computationally infeasible to compute the common key.

To avoid repetition of background material, W. Diffie and M.E. Hellman, "New Directions in Cryptography," I.E.E.E. Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-654 (Nov. 1976) and W. Diffie and M.E. Hellman, "Privacy and Authentication: An Introduction to Cryptography," Proceedings of the I.E.E.E., Vol. 67, No. 3, pp. 397-427 (March 1979) are hereby incorporated by reference.

Returning to the Kerberos system, an eavesdropper on a communications channel utilizing the Kerberos system sees only the person's login ID transmitted in the clear: something that is already public knowledge. The person's password is never explicitly transmitted and the key and subsequent messages are encrypted and hence ostensibly secure. The Kerberos system, however, has a number of limitations and some weaknesses. S.M. Bellovin and M. Merritt, "Limitations of the Kerberos Authentication System," Proc. Winter USENIX Conference, Dallas, (1991). People pick bad passwords, and either forget, write down, or resent good ones. This allows an eavesdropper to passively record encrypted messages, and to run a modified brute force attack on a password by decrypting encrypted messages with candidate passwords until intelligible plaintext is created. Kerberos has additional flaws, but illustrates a weakness common to all classical two-party key exchange protocols: the cryptographic passwords are susceptible to off-line, brute-force attacks. Nevertheless, such key exchange protocols may be appropriate when the passwords are long randomly selected strings, but pose considerable difficulty when the passwords are chosen by naive users.

Other attempts at avoiding the problem of off-line password guessing attacks include that described by T.M.A. Lomas, L. Gong, J.H. Saltzer, and R.M. Needham in "Reducing Risks from Poorly Chosen Keys," Proceedings of the Twelfth ACM Symposium on Operating System Principles, SIGOPS, 14-18 (Dec. 1989); and L. Gong, "Verifiable-text Attacks in Cryptographic Protocols," Proc. of the I.E.E.E. INFOCOM, The Conf. on Computer Communications, (1990). Lomas et al. teach a protocol that frustrates most cryptanalytic attacks but requires, for purposes of authentication, that each party know, in addition to their respective passwords, a public key to an asymmetric key cryptosystem. If the public key is to provide any reasonable level of security it cannot be easily memorized.

Summary of the Invention

The present invention provides a mechanism for establishing private and authenticated communications between parties who share only a relatively insecure secret by using an approach different from the prior art, and while avoiding many of the costs and restrictions of prior cryptographic protocols. The communications conducted pursuant to the present invention are more secure than those established with the prior art and protect the shared secret (e.g., a password) from being revealed to an eavesdropper.

These results are obtained in an illustrative embodiment of the present invention in which a portion of one or more of the messages of a public key distribution system is encrypted with the shared secret as the encryption key. In this regard the illustrative embodiment is similar to the Kerberos system but is substantially different in that the ciphertext is not merely a random number, but a portion of a message of a public key distribution system.

Because an asymmetric key cryptosystem provides a superset of the functionality of a public key distribution system, public key distribution systems are construed to include asymmetric key cryptosystems which are utilized to provide the commensurate functionality of public key distribution systems.
Brief Description of the Drawing

FIG. 1 presents a sequence of messages used in an illustrative embodiment of the invention that utilizes an asymmetric key cryptosystem and where the first two messages are encrypted with a password.

FIG. 2 presents a sequence of messages used in an illustrative embodiment of the invention that provides protection against attacks on the passwords when a session key has been recovered by an attacker.

FIG. 3 presents a sequence of messages used in an illustrative embodiment of the invention where only a portion of the initial message is encrypted with the password.

FIG. 4 presents a sequence of messages used in an illustrative embodiment of the invention where only a portion of the reply message is encrypted with the password.

FIG. 5 presents a sequence of messages used in an illustrative embodiment of the invention that utilizes a public key distribution system.

FIG. 6 presents an apparatus that utilizes an asymmetric key cryptosystem and where the first two messages are encrypted.

Detailed Description

1. NOTATION

The following notation is used throughout.

A, B           The parties desiring to communicate (Alice and Bob respectively).
P              The password: a shared secret, often used as a key.
P_n            A key: typically either P or derived from P.
P(X)           The secret key encryption of an argument "X" with key P.
P^{-1}(X)      The secret key decryption of an argument "X" with key P.
E_A(X)         The asymmetric key encryption of an argument "X" with public key E_A.
D_A(X)         The asymmetric key decryption of an argument "X" with private key D_A.
challenge_A    A random challenge generated by Alice.
challenge_B    A random challenge generated by Bob.
R              A session key or a number from which a session key may be derived.
p, q           Prime numbers.



A symmetric key cryptosystem is a conventional cryptosystem as known up until the 1970's; such symmetric key cryptosystems use secret keys. In contradistinction, an asymmetric key cryptosystem uses public encryption and private decryption keys.

As used in the following description and claims, "secure communications" means communications which are authenticated and/or private.

Embodiments of the invention are presented which utilize both public key distribution systems and asymmetric key cryptosystems. As used in the following description and claims, "public key distribution systems" includes asymmetric key cryptosystems providing the functionality of a public key distribution system.

2. EMBODIMENTS THAT USE ASYMMETRIC KEY CRYPTOSYSTEMS

The messages exchanged in an illustrative embodiment of the invention are presented in Fig. 1. That typical embodiment uses an asymmetric key cryptosystem. Alice 101 and Bob 103 are entities who desire to establish private and authenticated communications over a channel. The messages shown may be conveyed by public or private communications paths, e.g., telephone links. In this embodiment, and in each embodiment in the detailed description, Alice and Bob are deemed, prior to the beginning of the message exchange, to share knowledge of the secret P. Additionally, in this embodiment, and in each embodiment in the detailed description, Alice is the calling party and Bob is the called party. Referring to Fig. 1:

1. Alice generates a random public key/private key pair, E_A and D_A, and encrypts E_A, or a portion thereof, in a symmetric key cryptosystem illustratively of the type described in Data Encryption Standard, Federal Information Processing Standards Publication 46, National Bureau of Standards, U.S. Dept. of Commerce, January 1977, with password P as the key, yielding P(E_A). Alice sends

P(E_A)   (msg.109)

to Bob as shown at 109. This message may include other information such as the identity of the sender, or the remainder of the public key when a portion of it is not encrypted.

2. Bob, knowing P, decrypts msg.109 to obtain P^{-1}(P(E_A)) = E_A, then generates a random secret key R, and encrypts it in the asymmetric key cryptosystem with key E_A to produce E_A(R). This string is further encrypted with P. Bob sends

P(E_A(R))   (msg.115)

to Alice as shown at 115.

3. Alice, knowing P and D_A, uses them to obtain D_A(P^{-1}(P(E_A(R)))) = R.

Thereafter, R, or numbers derived from R, can be used as a key in further communications between Alice and Bob.

2.1. Key Validation Techniques

Once the parties have agreed to a key R, it may, in certain circumstances, be appropriate for the parties to take steps to make sure that the key has not been tampered with during transmission. As used in this description, such steps are known as key validation techniques.

2.1.1. Guarding Against Replay Attacks

The illustrative embodiment outlined in Section 2 above may not be suitable for all applications because it may not adequately guard against replay attacks. A replay attack is an attempt by an eavesdropper, who has control of the communications channel, to insert old, stale messages in the communication channel in an attempt to impersonate either party. Where the possibility of a replay attack exists, a preferred embodiment of the invention incorporates a mechanism to thwart such an attack. Thus, again referring to Fig. 1, this embodiment comprises the messages:

1. As before, the message exchange begins when Alice 101 sends

P(E_A)   (msg.109)

to Bob 103.

2. Again as before, Bob responds by sending

P(E_A(R))   (msg.115)

to Alice.

3. Upon receipt of msg.115 the challenge-response mechanism begins. Alice decrypts msg.115 to obtain R, generates a random string challenge_A and encrypts it with R to produce R(challenge_A). She sends

R(challenge_A)   (msg.121)

to Bob as shown at 121.

4. Bob decrypts msg.121 to obtain challenge_A, generates a random string challenge_B, encrypts the two challenges with the secret key R and sends

R(challenge_A, challenge_B)   (msg.127)

to Alice as shown at 127.

5. Alice decrypts msg.127 to obtain challenge_A and challenge_B, and compares the former against her earlier challenge. When it matches, she encrypts challenge_B with R and sends

R(challenge_B)   (msg.133)

to Bob as shown at 133.

6. Upon receipt of msg.133 Bob decrypts to obtain challenge_B and compares against the earlier challenge. When it matches, the challenge-response mechanism is successful and the parties may use R, or a string derived from R, as a session key in further communications.

The challenge-response portion of the embodiment above could be replaced by other mechanisms for validating R. For example, the time could be exchanged encrypted by R, under the security-critical assumption that clocks are monotonic and, to some extent, synchronized.

2.1.2 Guarding Against Recovered Session Keys

When a cryptanalyst recovers a session key R he can use R as a clue to attack P and E_A. Fig. 2 presents the messages exchanged in an illustrative embodiment of the invention that hinders an attack on P or E_A when R is known. When there is a chance that an unauthorized cryptanalyst might recover a session key, another preferred embodiment of the invention incorporates a mechanism to hinder such an attack. Referring to Fig. 2:

1. As before, the message exchange begins when Alice 201 sends

P(E_A)   (msg.209)

to Bob 203.

2. Again as before, Bob responds by sending

P(E_A(R))   (msg.215)

to Alice as shown at 215.

3. Alice decrypts msg.215 to obtain R, randomly generates a unique challenge challenge_A and a random subkey S_A, encrypts the challenge and the subkey with R and sends

R(challenge_A, S_A)   (msg.221)

to Bob as shown at 221.

4. Upon receipt of msg.221, Bob decrypts it to obtain challenge_A and S_A, generates a unique challenge challenge_B and a random subkey S_B, and encrypts the two challenges and his subkey with the secret key R and sends

R(challenge_A, challenge_B, S_B)   (msg.227)

to Alice as shown at 227.

5. Upon receipt of msg.227 Alice decrypts it to obtain challenge_A and challenge_B, and compares the former against her earlier challenge. When it matches, she encrypts challenge_B with R to obtain R(challenge_B). Alice sends

R(challenge_B)   (msg.233)

to Bob as shown at 233.

6. Upon receipt of msg.233, Bob decrypts it to obtain challenge_B and compares it to challenge_B of msg.227. When it matches, the two parties calculate a key S = f(S_A, S_B) for some jointly known function f. S is used as the secret key to encrypt all subsequent exchanges and R is reduced to the role of a key exchange key.

Conceivably, a sophisticated cryptanalyst might be able to use the presence of challenges and responses in different messages to attack R. When such an attack is of concern, the responses can be modified to contain a one-way function of the challenges, rather than the challenges themselves. Thus, msg.227 could become

R(g(challenge_A), challenge_B, S_B)

and a similar change would be made to msg.233.

2.2 Bilateral Versus Unilateral Encryption

When a portion of both of the first two messages is encrypted with the password, as are msg.109 and msg.115 in the embodiment presented above, the embodiment incorporates what is called bilateral encryption. In other illustrative embodiments, however, bilateral encryption is not necessary. When only one of the first two messages is encrypted it is called unilateral encryption. Note that there are two types of unilateral encryption: (1) when the first message is encrypted, and (2) when the second message is encrypted. Section 2.2.1 shows an illustrative embodiment of the invention where only the first message is encrypted with the password and Section 2.2.2 presents an illustrative embodiment where only the second message is encrypted.

2.2.1. An Illustrative Embodiment Using The RSA Asymmetric Key Cryptosystem

An illustrative embodiment of the invention uses the asymmetric key cryptosystem known as "RSA" and taught by R.L. Rivest, A. Shamir, and L. Adleman in U.S. Patent No. 4,405,829, issued Sept. 20, 1983, and in "A Method of Obtaining Digital Signatures and Public Key Cryptosystems," Communications of the ACM, Vol. 21, No. 2, 120-26 (Feb. 1978). An overview of RSA is given before the illustrative embodiment is presented.

2.2.1.1. An Overview of RSA

The public key E_A for the RSA cryptosystem consists of a pair of natural numbers <e, n>, where n is the product of two primes p and q, and e is relatively prime to

$\phi(n) = \phi(p)\,\phi(q) = (p-1)(q-1)$

where $\phi(n)$ is the Euler totient function. It is preferred that p and q be of the form $2p' + 1$ and $2q' + 1$, respectively, where $p'$ and $q'$ are primes. The private decryption key d is calculated such that

$e d \equiv 1 \pmod{(p-1)(q-1)}$.

A message m is encrypted by calculating:

$c \equiv m^{e} \pmod n$;

the ciphertext c is decrypted by

$m \equiv c^{d} \pmod n$.

2.2.1.2. An Illustrative Embodiment Using RSA

Fig. 3 presents the messages exchanged in an illustrative embodiment of the invention that uses the RSA asymmetric key cryptosystem. Referring to Fig. 3:

1. The message exchange begins when Alice 301 generates a random public key/private key pair, E_A and D_A. E_A comprises the numbers <e, n>. Because n is a prime number it is distinguishable from a random number and must be sent in the clear. To encrypt e, Alice begins with the binary encoding of e and encrypts all of the bits comprising e except the least significant bit in a symmetric cryptosystem with password P. Alice sends

P(e), n   (msg.309)

to Bob as shown at 309.

2. Bob, knowing P, decrypts msg.309 to obtain P^{-1}(P(e)) = e, generates a random secret key R, and encrypts it in the asymmetric key cryptosystem with key E_A to produce E_A(R). In other illustrative embodiments E_A(R) may be encrypted with P, but in the preferred embodiment using RSA, it is not. Bob sends

E_A(R)   (msg.315)

to Alice as shown at 315.

3. Upon receipt of msg.315 Alice decrypts it to obtain R. Thereafter, R, or numbers derived from R, can be used as a session key. At this point a key validation technique, such as the challenge-response mechanism, may be implemented.

One caveat about sending n in the clear is worth noting; it exposes the password P to the risk of cryptanalysis. More precisely, when n is available to an attacker, it can be factored and then R would be disclosed and P would be exposed to attack.
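The Fig. 3 exchange followed by the challenge-response validation of Section 2.1.1, as an added worked example rather than the patent's own code; the toy primes 23 and 47, the SHA-256 XOR stream cipher standing in for DES, and the per-message labels are constructed assumptions.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA parameters, constructed for this example: p and q are of the preferred
# form 2p'+1 and 2q'+1 (23 = 2*11+1, 47 = 2*23+1). Real keys are hundreds of digits.
RSA_P, RSA_Q = 23, 47
N = RSA_P * RSA_Q                    # 1081
PHI = (RSA_P - 1) * (RSA_Q - 1)      # 1012
E_BYTES = 2                          # e >> 1 is at most 505, fits in two bytes
R_BYTES = 2                          # session key R < N, fits in two bytes
CHALLENGE_BYTES = 8


def sym(key, label, data):
    """Toy symmetric cipher P(X): XOR with a SHA-256 keystream. It stands in for DES
    here; the label keeps keystreams distinct for different messages under one key,
    and encryption and decryption are the same operation."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + b"|" + label + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_keygen():
    """E_A = <e, n> with e relatively prime to phi(n); D_A = d with e*d = 1 mod phi(n)."""
    while True:
        e = secrets.randbelow(PHI - 3) + 3
        if gcd(e, PHI) == 1:
            return e, pow(e, -1, PHI)


def encrypt_e(password, e):
    """msg.309: every bit of e except the least significant one is encrypted with P;
    the LSB (always 1, since e is odd) travels in the clear beside n."""
    return sym(password, b"msg309", (e >> 1).to_bytes(E_BYTES, "big")), e & 1


def decrypt_e(password, ct, lsb):
    """Any trial password yields an odd e, so parity gives an attacker nothing."""
    return (int.from_bytes(sym(password, b"msg309", ct), "big") << 1) | lsb


def eke_rsa_session(pw_alice, pw_bob):
    """Fig. 3 exchange followed by the challenge-response validation of Section 2.1.1.
    Returns (alice_ok, bob_ok, R_alice, R_bob)."""
    # 1. Alice generates (E_A, D_A) and sends P(e), n.
    e, d = rsa_keygen()
    ct_e, lsb = encrypt_e(pw_alice, e)
    msg309 = (ct_e, lsb, N)
    # 2. Bob recovers e, picks R and sends E_A(R) = R^e mod n (not re-encrypted with P).
    e_bob = decrypt_e(pw_bob, msg309[0], msg309[1])
    r_bob = secrets.randbelow(N - 2) + 2
    msg315 = pow(r_bob, e_bob, msg309[2])
    # 3. Alice applies D_A to obtain R.
    r_alice = pow(msg315, d, N)
    key_a = r_alice.to_bytes(R_BYTES, "big")
    key_b = r_bob.to_bytes(R_BYTES, "big")
    # Key validation: msg.121 = R(challenge_A), msg.127 = R(challenge_A, challenge_B),
    # msg.133 = R(challenge_B). A wrong e on Bob's side gives Alice a different R, so
    # her challenge does not come back intact and the run is rejected.
    chal_a = secrets.token_bytes(CHALLENGE_BYTES)
    msg121 = sym(key_a, b"msg121", chal_a)
    chal_a_bob = sym(key_b, b"msg121", msg121)
    chal_b = secrets.token_bytes(CHALLENGE_BYTES)
    msg127 = sym(key_b, b"msg127", chal_a_bob + chal_b)
    plain127 = sym(key_a, b"msg127", msg127)
    alice_ok = plain127[:CHALLENGE_BYTES] == chal_a
    if not alice_ok:
        return False, False, r_alice, r_bob
    msg133 = sym(key_a, b"msg133", plain127[CHALLENGE_BYTES:])
    bob_ok = sym(key_b, b"msg133", msg133) == chal_b
    return alice_ok, bob_ok, r_alice, r_bob
```

With the shared password both checks pass; when the passwords differ, Alice's challenge does not survive the round trip and nothing further is sent under R.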

2.2.2. An Illustrative Embodiment Using the El Gamal Asymmetric Key Cryptosystem

The El Gamal cryptosystem, T. El Gamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," I.E.E.E. Transactions on Information Theory, Vol. 31, 469-72 (July 1985), is used in an illustrative embodiment of the invention as shown in Fig. 4. Unlike the embodiment incorporating RSA, under certain circumstances, an embodiment incorporating the El Gamal cryptosystem must encrypt the second message, rather than the first.

2.2.2.2. An Overview of the El Gamal Asymmetric Key Cryptosystem

When Bob desires to send an encrypted message (e.g., the key R) to Alice, Bob must notify Alice that he desires to do so. When Alice agrees to receive the encrypted message, Alice and Bob then agree on a common base α and modulus p. Alice then picks a random number R_A in the interval [0, p-1] and computes $\alpha^{R_A} \pmod p$. Next Alice sends $\alpha^{R_A} \pmod p$ in the clear to Bob, who also picks a random number R_B in the interval [0, p-1] and computes

$C_1 \equiv \alpha^{R_B} \pmod p$,

$K \equiv (\alpha^{R_A} \bmod p)^{R_B} \pmod p \equiv \alpha^{R_A R_B} \pmod p$

and

$C_2 \equiv R \cdot K \pmod p$.

The encrypted message that Bob sends to Alice consists of the pair <C_1, C_2>.

Alice, knowing R_A and $\alpha^{R_B} \pmod p$, decrypts the message to recover R by calculating

$K \equiv (\alpha^{R_B} \bmod p)^{R_A} \pmod p \equiv \alpha^{R_A R_B} \pmod p$

and then dividing $C_2$ by K.

2.2.2.3. An Illustrative Embodiment Using the El Gamal Cryptosystem

The messages exchanged in an illustrative embodiment of the invention that uses the El Gamal asymmetric key cryptosystem are presented in Fig. 4. Prior to the first message Alice and Bob are deemed to have agreed to values for base α and modulus p. Referring to Fig. 4:

1. Alice 401 generates a random number R_A and computes $\alpha^{R_A} \pmod p$. Although Alice may encrypt $\alpha^{R_A} \pmod p$, it is not encrypted in the preferred embodiment. Alice sends

$\alpha^{R_A} \pmod p$   (msg.409)

to Bob 403 as shown at 409. This message may include other information such as the identity of the sender.

2. When Bob receives msg.409 he generates a random number R_B such that $\alpha^{R_B} \pmod p$ is randomly selected from the interval [0, p-1]. Bob also generates a random session key R and computes $R\,\alpha^{R_A R_B} \pmod p$. Bob sends

$P(\alpha^{R_B} \bmod p,\ R\,\alpha^{R_A R_B} \bmod p)$   (msg.415)

to Alice as shown at 415.

3. Alice, knowing P, recovers $\alpha^{R_B} \pmod p$ and consequently R. After receipt of msg.415, one of the key validation techniques may be begun. Thereafter, R, numbers derived from R, or a number derived from a validation technique can be used as a session key.

2.5 Security Considerations

2.5.1 Partition Attacks

The principal constraint on any embodiment is that encryptions using P must leak no information. For some cryptosystems this is difficult. For example, the public keys in RSA are always odd. When no special precautions are taken, an attacker could rule out half of the candidate values P when P^{-1}(P(e)) is an even number. Upon first inspection, this is an unimportant reduction in the key space; however, when left uncorrected, it can compromise the security of the embodiment. As used in this description, the term "key space" is the range of possible cryptographic keys. When the key space is large an unauthorized cryptanalyst attempts to "reduce the key space" or eliminate impossible cryptographic keys. By the process of elimination the cryptanalyst can, when given sufficient clues such as the one shown above, reduce the key space down to reveal the actual key.

Recall that each session uses a different public key, independent of all others previously used. Thus, trial decryptions resulting in illegal values of e exclude different values of P each time. In other words, each time a session key is negotiated an attacker can partition the remaining candidate key space into two approximately equal halves. The key space is thus logarithmically reduced; comparatively few intercepted conversations will suffice to reject all invalid guesses at P. This attack is called a partition attack.

For some cryptosystems, a minimal partition may be acceptable. Consider a situation where integers modulo some prime p must be encrypted with P. When n bits are used to encode p, trial decryptions yielding values in the range $[p, 2^n - 1]$ can be used to partition the password space. However, when p is close to $2^n$, perhaps even $2^n - 1$, few candidate passwords are excluded by each session. Consequently, p equal to $2^n - 1$ is preferred while conversely values of p far from $2^n - 1$ are not preferred.

Another danger comes from trying to encrypt a number with a cryptosystem that demands a blocksize larger than the number. The blocksize of a cryptosystem is the amount of plaintext that the cryptosystem can encrypt in a single encryption. The number should be padded with random data to bring the total string up to the blocksize of the cryptosystem.

Note that both problems may be eliminated in one operation. Again, assume that one is encrypting integers modulo p. Further assume that the desired input encryption block size is m bits where $2^m > p$. Let

$q = \lfloor 2^m / p \rfloor$.

The value q is the number of times p fits into the encryption block size. Therefore choose a random value $j \in [0, q-1]$ and add jp to the input value using non-modulo arithmetic (when the input value is less than $2^m - qp$, use the interval $[0, q]$ instead). The recipient, knowing the modulus, recovers the decrypted value to the proper range by dividing the input plus jp by p and taking the remainder.
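A measurement of the partition attack and of the padding countermeasure described in this section, written for this page as an added example (not the patent's code); the 16-bit block, the moduli 32771 and 65521, the candidate password list and the XOR stream cipher are constructed assumptions.

```python
import hashlib
import secrets

M_BITS = 16                 # encryption block size m, with 2^m > p
BLOCK = M_BITS // 8


def sym(key, label, data):
    """Toy symmetric cipher P(X): XOR with a SHA-256 keystream (constructed stand-in
    for DES). A wrong key yields a uniformly random block, which is what the attack uses."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + b"|" + label + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_naive(x):
    """Integer mod p written straight into the m-bit block: values in [p, 2^m - 1] never
    occur as plaintext, so trial decryptions landing there expose wrong passwords."""
    return x.to_bytes(BLOCK, "big")


def encode_padded(x, p):
    """The countermeasure from the text: add j*p for random j in [0, q-1] with
    q = floor(2^m / p), or j in [0, q] when x < 2^m - q*p. Every m-bit string is
    then a possible plaintext, so no trial decryption can be ruled out."""
    q = (1 << M_BITS) // p
    j_max = q if x < (1 << M_BITS) - q * p else q - 1
    j = secrets.randbelow(j_max + 1)
    return (x + j * p).to_bytes(BLOCK, "big")


def decode_padded(block, p):
    """Recipient reduces modulo p to recover x."""
    return int.from_bytes(block, "big") % p


def partition_survivors(candidates, true_pw, p, sessions, padded):
    """Attacker model of Section 2.5.1: for each observed session, trial-decrypt P(x)
    under every surviving candidate and discard those yielding an impossible plaintext.
    Returns the candidates still consistent with all observations."""
    bound = (1 << M_BITS) if padded else p       # plaintexts the attacker deems possible
    alive = list(candidates)
    for s in range(sessions):
        x = secrets.randbelow(p)
        label = b"session%d" % s
        ct = sym(true_pw, label, encode_padded(x, p) if padded else encode_naive(x))
        alive = [c for c in alive if int.from_bytes(sym(c, label, ct), "big") < bound]
    return alive
```

With p = 32771 the naive encoding lets roughly half of the wrong candidates be discarded per session; with p = 65521 (close to 2^16) only about 15 in 65536 are, and with padding none are.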

3. ILLUSTRATIVE EMBODIMENTS THAT USE PUBLIC KEY DISTRIBUTION SYSTEMS

An illustrative embodiment of the invention uses the public key distribution system known as "Diffie-Hellman" and taught by M.E. Hellman, W. Diffie and R.C. Merkle in U.S. Patent No. 4,200,770, April 29, 1980, and in W. Diffie and M.E. Hellman, "New Directions in Cryptography," I.E.E.E. Transactions on Information Theory, Vol. 22, No. 6 (Nov. 1976).

3.1. An Overview of Diffie-Hellman

Diffie-Hellman is not a cryptosystem. It is, however, a mechanism for publicly generating a secure key (e.g., a session key) for a symmetric cryptosystem. Briefly, Alice and Bob each pick random exponents R_A and R_B. Assuming they agree on a common base α and modulus p, Alice computes $\alpha^{R_A} \pmod p$ and Bob computes $\alpha^{R_B} \pmod p$. Each party transmits their computed quantity in the clear to the other party. Alice, knowing R_A and $\alpha^{R_B} \pmod p$, computes

$R \equiv (\alpha^{R_B} \bmod p)^{R_A} \pmod p \equiv \alpha^{R_A R_B} \pmod p$.

Similarly, Bob, knowing R_B and $\alpha^{R_A} \pmod p$, computes

$R \equiv (\alpha^{R_A} \bmod p)^{R_B} \pmod p \equiv \alpha^{R_A R_B} \pmod p$.

The quantity R can then be used as the key in further communications between Alice and Bob. An intruder, knowing only $\alpha^{R_A} \pmod p$ and $\alpha^{R_B} \pmod p$, cannot perform the same calculation. It should be noted, however, that Diffie-Hellman does not provide authentication and is therefore vulnerable to active wiretaps.

3.2. An Illustrative Embodiment Using Diffie-Hellman

Fig. 5 presents the messages exchanged in an embodiment of the invention as used in connection with the Diffie-Hellman public key distribution system. Referring to Fig. 5:

1. Assuming that Alice 501 and Bob 503 agree on a common base α and modulus p, Alice generates a random number R_A and computes $\alpha^{R_A} \pmod p$. $\alpha^{R_A} \pmod p$ is encrypted in a symmetric key cryptosystem with the password P as the key and Alice sends

$P(\alpha^{R_A} \bmod p)$   (msg.509)

to Bob as shown at 509. Note that if R_A is random, $\alpha^{R_A} \pmod p$ is random and guesses at P will yield no useful information.

2. Similarly, Bob generates a random number R_B and sends

$P(\alpha^{R_B} \bmod p)$   (msg.515)

to Alice as shown at 515. At this point both Alice and Bob know both $\alpha^{R_A} \pmod p$ and $\alpha^{R_B} \pmod p$ and can therefore calculate a session key as shown in Section 3.1. Additionally, one of the key validation techniques may be commenced once a common value is computed by both Alice and Bob.

3.3. Bilateral Versus Unilateral Encryption 

Typically, both messages of the Diffie-Hellman public key distribution system need not be encrypted. Unilateral 
encryption, the encryption of a portion of at least one of the messages of the Diffie-Hellman public key 
distribution system, will assure privacy and authentication. Therefore, referring to Fig. 5, it is possible to omit the 
encryption of either one, but not both, of the messages in Fig. 5. For example, msg. 509 can be replaced by 

a^{R_A} (mod p) 

Alternatively, msg. 515 can be replaced by 

a^{R_B} (mod p) 

That unilateral encryption preserves the security of the system means that one pair of encryptions and 
decryptions can be omitted. Since encryption and decryption can require substantial computing resources and 
time, those resources can be omitted and time can be saved. 
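The Fig. 5 exchange of Section 3.2, the unilateral variant of Section 3.3 (the unilateral flag) and the challenge/response key validation of the abstract, as an added Python example that is not code from the patent. It assumes constructed toy parameters (p = 2^127 - 1, a = 3, passwords "hunter2"/"hunter3"), models the password cipher P( ) as XOR with a SHA-256-derived keystream (Section 4.1 allows a cipher as simple as XOR), and applies the Section 2 trick of adding a random multiple of p before encryption so that a guess at P cannot be rejected by the range of what it decrypts to.

```python
import hashlib
import secrets

# Constructed toy parameters: p is the Mersenne prime 2^127 - 1, used only because
# it is a well-known prime. It is NOT of the safe-prime form Section 3.4 asks for,
# and a = 3 has not been checked to be a primitive root; real use needs those checks.
p = 2**127 - 1
a = 3
WIDTH = 16            # bytes carrying an element of GF(p); 256**WIDTH > p
MAX = 256**WIDTH - 1

def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Stand-in for the symmetric cipher: XOR with SHA-256(key || label). The label
    gives each message its own keystream, the Section 4.1 per-direction subkeys."""
    return hashlib.sha256(key + label).digest()[:n]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(x ^ k for x, k in zip(data, ks))

def password_encrypt(password: str, label: bytes, x: int) -> bytes:
    """P(x) for x in GF(p). A random multiple of p is added first so the plaintext
    is spread over the whole WIDTH-byte range (the interval trick of Section 2):
    every guess at P then decrypts to an in-range value, and a guess cannot be
    rejected merely because the result would be >= p."""
    y = x + p * secrets.randbelow((MAX - x) // p + 1)
    return xor(y.to_bytes(WIDTH, "big"), keystream(password.encode(), label, WIDTH))

def password_decrypt(password: str, label: bytes, ct: bytes) -> int:
    y = int.from_bytes(xor(ct, keystream(password.encode(), label, WIDTH)), "big")
    return y % p      # the recipient knows p and reduces back to the proper range

def validate(key_a: bytes, key_b: bytes) -> bool:
    """Key validation, steps 3-6 of the abstract: R(C_A), R(C_A, C_B), R(C_B).
    Alice holds key_a, Bob key_b; it succeeds only if both derived the same R."""
    c_a, c_b = secrets.token_bytes(16), secrets.token_bytes(16)
    m3 = xor(c_a, keystream(key_a, b"msg3", 16))              # Alice -> Bob
    seen = xor(m3, keystream(key_b, b"msg3", 16))
    m4 = xor(seen + c_b, keystream(key_b, b"msg4", 32))       # Bob -> Alice
    got = xor(m4, keystream(key_a, b"msg4", 32))
    if got[:16] != c_a:
        return False                                          # Alice aborts
    m5 = xor(got[16:], keystream(key_a, b"msg5", 16))         # Alice -> Bob
    return xor(m5, keystream(key_b, b"msg5", 16)) == c_b      # Bob's check

def dh_eke(password_alice: str, password_bob: str, unilateral: bool = False):
    """Fig. 5: msg 509 = P(a^Ra mod p), msg 515 = P(a^Rb mod p); with unilateral=True
    msg 515 is sent in the clear, the Section 3.3 variant that still authenticates.
    Returns (validated, Alice's session key, Bob's session key)."""
    r_a = secrets.randbelow(p - 2) + 1
    r_b = secrets.randbelow(p - 2) + 1
    msg509 = password_encrypt(password_alice, b"509", pow(a, r_a, p))
    if unilateral:
        alice_gets = pow(a, r_b, p)
    else:
        msg515 = password_encrypt(password_bob, b"515", pow(a, r_b, p))
        alice_gets = password_decrypt(password_alice, b"515", msg515)
    bob_gets = password_decrypt(password_bob, b"509", msg509)
    # each side raises what it received to its own exponent: a^(Ra*Rb) mod p
    key_a = hashlib.sha256(pow(alice_gets, r_a, p).to_bytes(WIDTH, "big")).digest()
    key_b = hashlib.sha256(pow(bob_gets, r_b, p).to_bytes(WIDTH, "big")).digest()
    return validate(key_a, key_b), key_a, key_b

if __name__ == "__main__":
    print("same password:", dh_eke("hunter2", "hunter2")[0])    # True
    print("wrong password:", dh_eke("hunter2", "hunter3")[0])   # False
```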

3.4. Choosing a and p 

a and p can be chosen from among different values, each of which choices reflects a tradeoff between 
cost and security. Although there are a number of possible choices for the modulus, large prime values of p 
are more secure. Furthermore, it is desirable that a be a primitive root of the field GF(p). When p is chosen 
such that 

p = 2q + 1 

for some prime q, there are (p-1)/2 = q such values; hence, they are easy to find. Assume those restrictions 
in the discussion that follows. 

It is somewhat problematic for Alice and Bob to agree to common values for a and p without revealing 
information to an attacker. P(p) cannot be transmitted because testing a random number for primality is too easy. 
In one embodiment, a and p are fixed and made public. This embodiment has the advantage that there is no 
risk of information leakage or partition attacks. The disadvantage is that implementations become less flexible, 
as all parties must agree on such values. A further disadvantage to making p public is that to maintain security, 
p must be large, which in turn makes the exponentiation operations expensive. 

Some compromise in the length of the modulus is possible, however. Because in the embodiment the 
password P is used to superencrypt such values, it is not possible to essay a discrete logarithm calculation except 
for all possible guesses of P. The goal then is to select a size for p sufficient to make guessing attacks far too 
expensive. Using 200 bits, for which discrete logarithm solutions are estimated to take several minutes even 
after the tables are built, might suffice. 

Another consideration inclines one towards larger moduli, however. When the user's password is 
compromised, recorded exponentials will be available to the attacker; these, when solved, will permit reading of 
old conversations. When a large modulus value is chosen, all such conversations would remain secure. 

Size requirements for p are derived from a desire to prevent calculations of discrete logarithms in the field 
GF(p). The current best algorithms for such calculations require large amounts of precalculation. When a 
different p is used each time, an attacker cannot build tables in advance; thus, a much smaller, and hence cheaper, 
modulus can be used. Therefore, in the preferred embodiment Alice generates random values of p and a, and 
transmits them in cleartext during the initial exchange. There is little security risk associated with an attacker 
knowing these values; the only problem would be with cut-and-paste attacks. And even this risk is minimal 
when Bob performs certain checks to guard against easily-solvable choices: that p is indeed prime, that it is 
large enough (and hence not susceptible to precalculation of tables), that p-1 have at least one large prime 
factor, and that a is a primitive root of GF(p). The latter two conditions are related; the factorization of p-1 
must be known in order to validate a. When p is of the form kq + 1, where q is prime and k a very small integer, 
both conditions are satisfied. 

Thus far, nothing has been said about choosing a. But when a suitable value of p is chosen, a is chosen 
as a primitive root of p. There is no reason not to examine the integers starting with 2; the density of primitive 
roots guarantees that one will be found quite quickly. 
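Alice's generation of a fresh (p, a) and Bob's checks on the cleartext values, as an added Python example that is not code from the patent. It assumes the safe-prime form p = 2q + 1 adopted above, a Miller-Rabin probabilistic primality test, and a size threshold passed as min_bits (the 200-bit figure mentioned in this section is the default).

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases: Bob's check 'that p is indeed prime'."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Alice's side of the preferred embodiment: a fresh p = 2q + 1 with q prime,
    so p - 1 has the large prime factor q and primitive roots are cheap to test."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, bits-1 bits
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def is_primitive_root(a: int, p: int) -> bool:
    """For p = 2q + 1 the prime factors of p - 1 are only 2 and q, so a generates
    GF(p)* iff a^2 != 1 and a^q != 1 (mod p). (For the general p = kq + 1 of
    Section 3.4 the same test is run for q and each prime factor of the small k.)"""
    q = (p - 1) // 2
    return 1 < a < p - 1 and pow(a, 2, p) != 1 and pow(a, q, p) != 1


def choose_base(p: int) -> int:
    """Section 3.4: examine the integers starting with 2; a primitive root turns up quickly."""
    return next(g for g in range(2, p) if is_primitive_root(g, p))


def bob_accepts(p: int, a: int, min_bits: int = 200) -> bool:
    """Bob's checks on the cleartext (p, a) Alice sent, guarding against easily
    solvable choices: p prime and large enough, p - 1 with a large prime factor
    (here (p-1)/2 prime), and a a primitive root of GF(p)."""
    return (p.bit_length() >= min_bits
            and is_probable_prime(p)
            and is_probable_prime((p - 1) // 2)
            and is_primitive_root(a, p))


if __name__ == "__main__":
    p = generate_safe_prime(64)          # 64 bits keeps the demo fast; see min_bits
    a = choose_base(p)
    print(p, a, bob_accepts(p, a, min_bits=64))
```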

4. THE CRYPTOSYSTEMS 

4.1. Selecting a Symmetric Key Cryptosystem 

Symmetric key encryption is used three times in various embodiments: to encrypt the initial asymmetric 
key exchange, to trade challenges and responses, and to protect the ensuing application session. In general, 
the same symmetric key cryptosystem can be used at all three points. 

In the initial exchange (e.g., msg. 109 and msg. 115), there are severe constraints on the plaintext. The 
messages advantageously should not use any other form of tagged data representation. 

In all preferred embodiments, the original plaintext message should not contain any non-random padding 
to match the encryption blocksize, nor any form of error-detecting checksum. Protection against communications 
errors is typically provided by lower-layer protocols. While cipher block chaining or some similar scheme 
may be employed to tie together multiple blocks and hinder cryptanalytic attacks, such mechanisms are not 
typically important because the transmitted bits are random and hence cannot profitably be manipulated by 
an attacker. The challenge/response mechanism provides the necessary defense against such manipulation 
of the messages. 

In one embodiment, the encryption algorithm may be as simple an operation as the bit-wise boolean 
XORing of the password with the public key. 

Similarly, the key validation messages typically do not need to be protected by a strong cipher system. 
However, it has been tacitly assumed that it is not feasible for an attacker to perform useful cut-and-paste 
operations on encrypted messages. For example, when it is said that Alice sends R(challenge_A, challenge_B) to 
Bob, and that Bob replies with R(challenge_A), one might conclude that the attacker could snip out R(challenge_A) 
from the first message, and simply echo it in the second. In all preferred embodiments this advantageously 
should be prevented, of course. Thus, when necessary in the particular cryptosystem being used, standard 
techniques such as cipher block chaining should be employed. Cipher block chaining should prevent such "snip 
and echo" or "cut and paste" attacks. Alternatively, Alice and Bob could use R to derive distinct subkeys R_A 
and R_B, each used in only one direction. Other alternatives include employing message typing or adding 
message authentication codes; however, these may introduce redundancy undesirable in the face of a 
cryptanalytic attack. In such situations, the one-way functions mentioned in Section 2.1.2 may be preferable. 

Finally, the use of R in the ensuing login session must not reveal useful information about R. When the 
system is cryptanalyzed and R is recovered, the attacker can then mount a password-guessing attack 
on the message exchange. Furthermore, since this protocol is applicable to protecting arbitrary sessions 
between parties, it is best to be cautious, and examine the particular symmetric system under the assumption 
that the adversary may mount chosen-ciphertext attacks against the session. When there is any doubt, the 
embodiment with a separate data key and key exchange key is preferred. 

4.2. Selecting a Public Key Distribution System 


In principle, any public key distribution system can be used, including Merkle's Puzzles, R.C. Merkle, "Secure 
Communications Over Insecure Channels," Communications of the ACM, Vol. 21, 294-99 (Apr. 1978). In 
practice, some systems may be ruled out on practical grounds. For example, a system that used many large 
primes might be infeasible in some applications. RSA uses at least two such primes; dynamic key generation 
might prove too complex and therefore too expensive for some hardware systems. 

A second consideration is whether or not a particular system's public keys can be encoded as a random- 
seeming bit string. It has already been demonstrated how this can be an issue with RSA. 

It is tempting to finesse the issue by instead transmitting the seed of the random number generator used 
to produce the public key. Unfortunately, that may not be applicable in many cases. Apart from the expense 
involved - both sides would have to go through the time-consuming process of generating the keys - the 
random seed will yield both the public and private keys. And that in turn would allow an attacker to validate a 
candidate password by retrieving the session key. 

The option of transmitting the seed of a random number generator works with exponential key exchange. 
Since the prime modulus may be public anyway, there is nothing to be concealed. Unfortunately, the option 
necessitates both parties to go through the step of generating large prime numbers, albeit while saving on the 
size of modulus required. The tradeoff may be worth reconsidering when very fast solutions to the discrete 
logarithm problem are found. 


5. THE APPARATUS TO CARRY OUT THE MESSAGE EXCHANGE 

Fig. 6 presents an illustrative embodiment of an apparatus which can carry out the message exchange 
described in Section 2. This embodiment can be easily modified by a person having ordinary skill in the art to 
perform any embodiment of the invention. 

Alice 601 and Bob 603 are two computers, or other standard processing and communications stations or 
equipment, who share a secret P, which may be stored in a register or the like 600, and desire to establish a 
private and authenticated communication channel 629. The secret P is stored in a register or the like in both 
Alice and Bob. Alice comprises a transmitter 602, a receiver 612, a key validator 619 and a session 
communication unit 625. The transmitter 602 accepts as input the secret P. The transmitter 602 contains an asymmetric 
key generator 605 which generates a public key and a private key. The public key is passed to a symmetric 
key encryptor 607. The symmetric key encryptor 607 also accepts as input the secret P and encrypts the public 
key, or a portion thereof, with the secret P as the key to form an initiating message. The initiating message 
is passed from the symmetric key encryptor 607 to a communications channel 609 where it is transmitted to 
a receiver 610 in Bob. 

The receiver 610 comprises a symmetric key decryptor 611. The symmetric key decryptor 611 accepts as 
input the initiating message and the secret P and decrypts the initiating message to recover the public key. 
The public key is passed to the transmitter 620. The transmitter 620 comprises a symmetric key encryptor 616, 
an asymmetric key encryptor 617 and a symmetric key generator 618. The symmetric key generator 618 
generates a random symmetric key which is passed to the asymmetric key encryptor 617. The asymmetric key 
encryptor 617 also accepts as input the public key from the receiver 610 and encrypts the symmetric key with 
the public key to form an encrypted key. The encrypted key is passed to the symmetric key encryptor 616, 
which also accepts as input the secret P, where the encrypted key is further encrypted with the secret P to 
form a response message. The response message is passed from the symmetric key encryptor 616 to a 
communications channel 615 where it is transmitted to a receiver 612 in Alice. 

The receiver 612 comprises a symmetric key decryptor 614 and an asymmetric key decryptor 613. The 
symmetric key decryptor 614 accepts as input the secret P and the response message, decrypts the response 
message to recover the encrypted key and passes it to the asymmetric key decryptor 613. The asymmetric 
key decryptor 613 also accepts as input the private key passed from the asymmetric key generator 605 and 
uses it to decrypt the encrypted key to recover the symmetric key. The symmetric key is passed from the 
asymmetric key decryptor 613 to the key validator 619. Analogously, in Bob, the key generator 618 passes the 
symmetric key to Bob's key validator 623. Alice's key validator 619 and Bob's key validator 623 communicate 
with each other via a communications channel 621 to validate the symmetric key. The purpose of validating 
the key is to assure that neither Alice nor Bob is being impersonated by an unauthorized eavesdropper who 
may have discovered the secret P. 

Upon validation, Alice's key validator 619 passes the symmetric key to the session communication unit 
625 which uses the key in further communications with Bob over communications channel 629. While the 
communications channels 609, 615, 621 and 629 are shown for simplicity of exposition as separate channels, it 
should be understood that in practice two or more of these channels may be the same physical channel suitably 
multiplexed in accordance with well known principles and practice. Analogously, Bob's key validator 623 passes 
the symmetric key to a session communication unit 627 which uses the key in further communications with 
Alice over communications channel 629. 

6. APPLICATIONS 

Embodiments of the invention can be used for secure public telephones. When someone wishes to use a 
secure public telephone, some keying information will typically be provided. Conventional solutions require that 
the caller possess a physical key. Embodiments of the invention permit use of a short, keypad-entered 
password, but use a much longer session key for the call. 

Embodiments of the present invention can be used with cellular telephones. Fraud has been a problem 
in the cellular industry; embodiments of the invention can defend against fraud (and ensure the privacy of the call) by 
rendering a telephone useless when a PIN or other key has not been entered. Since the PIN or other key is 
not stored within the telephone, it is not possible to retrieve one from a stolen unit. 

Embodiments of the invention also provide a replacement for Rivest and Shamir's Interlock Protocol, R.L. 
Rivest and A. Shamir, "How to Expose an Eavesdropper," Communications of the ACM, Vol. 27, No. 4, 393- 
95 (1984). 



Claims 

1. A method for establishing secure communications between a plurality of parties who share a secret, 
CHARACTERIZED BY the steps of: 

sending a first message of a public key distribution system to a party; and 
receiving a second message of the public key distribution system in response to the first message; 
wherein at least a portion of at least one of the first message and the second message are 
encrypted with the secret as a key. 

2. The method of claim 1 wherein at least a portion of at least one of the first message and the second 
message are encrypted in a symmetric key cryptosystem. 

3. The method of claim 1 wherein at least a portion of both the first message and the second message are 
encrypted in a symmetric key cryptosystem. 

4. The method of claim 1 wherein the first message and the second message are messages of a public key 
cryptosystem. 

5. The method of claim 1 wherein the first message and the second message are used to obtain a session 
key. 

6. The method of claim 5 further comprising the step of: 

validating the session key. 

7. A method for establishing secure communications between a plurality of parties who share a secret, 
CHARACTERIZED BY the steps of: 

receiving a first message of a public key distribution system from a party; and 
sending a second message of the public key distribution system in response to the first message; 
wherein at least a portion of one of the first message and the second message are encrypted with 
the secret as a key. 

8. The method of claim 7 wherein at least a portion of at least one of the first message and the second 
message are encrypted in a symmetric key cryptosystem with the secret as a key. 

9. The method of claim 7 wherein at least a portion of both the first message and the second message are 
encrypted in a symmetric cryptosystem with the secret as a key. 

10. The method of claim 7 wherein the first message and the second message are messages of a public key 
cryptosystem. 

11. The method of claim 7 wherein the first message and the second message are used to obtain a session 
key. 

12. The method of claim 11 further comprising the step of: 

validating the session key. 

13. An apparatus for establishing secure communications between a plurality of parties who share a secret, 
the apparatus comprising: 

means 602 for sending a first message of a public key distribution system to a party; and 
means 612 for receiving a second message of the public key distribution system in response to 
the first message; 

wherein at least a portion of at least one of the first message and the second message are 
encrypted with the secret as a key. 

14. The apparatus of claim 13 wherein at least a portion of at least one of the first message and the second 
message are encrypted in a symmetric key cryptosystem. 

15. The apparatus of claim 13 wherein at least a portion of both the first message and the second message 
are encrypted in a symmetric key cryptosystem. 

16. The apparatus of claim 13 wherein the first message and the second message are messages of a public 
key cryptosystem. 

17. The apparatus of claim 13 wherein the first message and the second message are used to obtain a session 
key. 

18. The apparatus of claim 17 further comprising: 

means 619 for validating the session key. 

19. An apparatus for establishing secure communications between a plurality of parties who share a secret, 
the apparatus comprising: 

means 610 for receiving a first message of a public key distribution system from a party; and 
means 620 for sending a second message of the public key distribution system in response to the 
first message; 

wherein at least a portion of at least one of the first message and the second message are 
encrypted. 

20. The apparatus of claim 19 wherein at least a portion of at least one of the first message and the second 
message are encrypted in a symmetric key cryptosystem with the secret as a key. 

21. The apparatus of claim 19 wherein at least a portion of both the first message and the second message 
are encrypted in a symmetric key cryptosystem. 

22. The apparatus of claim 19 wherein the first message and the second message are messages of a public 
key cryptosystem. 

23. The apparatus of claim 19 wherein the first message and the second message are used to obtain a session 
key. 

24. The apparatus of claim 23 further comprising: 

means for validating the session key. 




EP 0 535 863 A2 

[FIG. 1: message exchange between Alice 101 and Bob 103 (messages 109, 115, 133; R(CHALLENGE_A), R(CHALLENGE_A, CHALLENGE_B), R(CHALLENGE_B)); drawing not reproduced in text.] 

[FIG. 2: message exchange between Alice 101 and Bob 103, messages 209, 215, 221, 227, 233; drawing not reproduced in text.] 

[FIG. 3 and FIG. 4: message exchanges, messages 403, 409, 415; drawings not reproduced in text.] 

[FIG. 5: Diffie-Hellman embodiment, message P(a^{R_A} (mod p)); drawing not reproduced in text.] 